Reverse proxy database system and method

US 9,043,895 B2
Filed: 08/01/2011
Issued: 05/26/2015
Est. Priority Date: 08/02/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing security for a plurality of databases, the method comprising:

providing a plurality of servers;

providing said plurality of databases running on a first portion of said plurality of servers;

providing a plurality of database accessing applications running on a second portion of said plurality of servers;

providing a first network and a second network;

providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between said plurality of accessing applications and said plurality of database;

wherein said plurality of accessing applications communicates with said reverse database proxy over said first network and wherein said reverse database proxy communicates with said plurality of databases over said second network;

wherein said reverse database proxy comprises a front end parser and a back end parser;

providing a first secure channel over said first network, wherein said first secure channel comprises a first certificate, and wherein said reverse database proxy issues said first certificate to one of said plurality of accessing applications, such that communication between said reverse database proxy and said one of said plurality of accessing applications is secured by a first certificate;

providing a second secure channel over said second network, wherein said second secure channel comprises a second certificate, and wherein said reverse database proxy issues said second certificate to a receiving database, such that communication between said reverse database proxy and said receiving database is secured by a second certificate;

sending a database query from said one of said plurality of accessing applications to said reverse database proxy over said first secure channel;

parsing by said front end parser of said database query from said one of said plurality of accessing applications into a general format understandable by said reverse database proxy;

analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one security policy and to determine an address of said receiving database from one of said plurality of databases for receiving said database query;

when said database query is acceptable, passing said database query to said back end parser for parsing into a format according to the requirements of said receiving database;

passing said database query to said address of said receiving database over said second secure channel by said reverse database proxy;

receiving a database response by said reverse database proxy from said receiving database over said second secure channel;

parsing said response from said receiving database by said back end parser into a general format understandable by said reverse database proxy;

analyzing said response by said reverse database proxy to determine whether said database response is acceptable according to at least one security policy;

when said database response is acceptable, then passing said database response to said front end parser for parsing into a format according to the requirements of said one of said plurality of accessing applications; and

transferring said database response to said one of said plurality of accessing application over said first secure channel by said reverse database proxy;

wherein said analyzing said database response by said reverse database proxy comprises determining whether sensitive information is included in said database response; and

when included, removing said sensitive information before said database response is transferred to said accessing application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms.

13 Citations

View as Search Results

21 Claims

1. A method for providing security for a plurality of databases, the method comprising:
- providing a plurality of servers;
  
  providing said plurality of databases running on a first portion of said plurality of servers;
  
  providing a plurality of database accessing applications running on a second portion of said plurality of servers;
  
  providing a first network and a second network;
  
  providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between said plurality of accessing applications and said plurality of database;
  
  wherein said plurality of accessing applications communicates with said reverse database proxy over said first network and wherein said reverse database proxy communicates with said plurality of databases over said second network;
  
  wherein said reverse database proxy comprises a front end parser and a back end parser;
  
  providing a first secure channel over said first network, wherein said first secure channel comprises a first certificate, and wherein said reverse database proxy issues said first certificate to one of said plurality of accessing applications, such that communication between said reverse database proxy and said one of said plurality of accessing applications is secured by a first certificate;
  
  providing a second secure channel over said second network, wherein said second secure channel comprises a second certificate, and wherein said reverse database proxy issues said second certificate to a receiving database, such that communication between said reverse database proxy and said receiving database is secured by a second certificate;
  
  sending a database query from said one of said plurality of accessing applications to said reverse database proxy over said first secure channel;
  
  parsing by said front end parser of said database query from said one of said plurality of accessing applications into a general format understandable by said reverse database proxy;
  
  analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one security policy and to determine an address of said receiving database from one of said plurality of databases for receiving said database query;
  
  when said database query is acceptable, passing said database query to said back end parser for parsing into a format according to the requirements of said receiving database;
  
  passing said database query to said address of said receiving database over said second secure channel by said reverse database proxy;
  
  receiving a database response by said reverse database proxy from said receiving database over said second secure channel;
  
  parsing said response from said receiving database by said back end parser into a general format understandable by said reverse database proxy;
  
  analyzing said response by said reverse database proxy to determine whether said database response is acceptable according to at least one security policy;
  
  when said database response is acceptable, then passing said database response to said front end parser for parsing into a format according to the requirements of said one of said plurality of accessing applications; and
  
  transferring said database response to said one of said plurality of accessing application over said first secure channel by said reverse database proxy;
  
  wherein said analyzing said database response by said reverse database proxy comprises determining whether sensitive information is included in said database response; and
  
  when included, removing said sensitive information before said database response is transferred to said accessing application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said analyzing said database query by said reverse database proxy to determine whether said database query is acceptable further comprises determining whether said database query requires translation and, when required translating said database query before transmission to said database.
  - 3. The method of claim 2, wherein said analyzing said database response by said reverse database proxy comprises determining whether said database response requires translation and, when required translating said database response before transmitting to said one of said plurality of accessing applications.
  - 4. The method of claim 1 wherein said first certificate and second certificate are the same certificate.
  - 5. The method of claim 1 wherein said first network and said second network are the same network.
  - 6. The method of claim 1 wherein said second portion and said third portion of said plurality of servers are the same portion, such that said reverse database proxy and said plurality of databases run on the same servers.
  - 7. The method of claim 1 wherein said second portion and said third portion of said plurality of servers run on the same hardware.

8. A method for providing security for a plurality of databases, the method comprising:
- providing a plurality of servers;
  
  providing said plurality of databases running on a first portion of said plurality of servers;
  
  providing a plurality of database accessing applications running on a second portion of said plurality of servers;
  
  providing a network;
  
  providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network;
  
  providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
  
  wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
  
  said certificate transferred from said accessing application to said database through said reverse proxy;
  
  sending a database query from said accessing application to said reverse database proxy over said secured channel;
  
  analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy and to determine an address of a database for receiving said database query;
  
  when said database query is acceptable, passing said database query to said address of said database over said secured channel by said reverse database proxy;
  
  receiving a database response by said reverse database proxy from said database;
  
  analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy; and
  
  when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy;
  
  wherein said analyzing said database query by said reverse database proxy to determine whether said database query is acceptable further comprises determining whether said database query requires translation and, when required, translating said database query before transmission to said database, and wherein said analyzing said database response by said reverse database proxy comprises determining whether said database response requires translation and, when required, translating said database response before transmitting to said accessing application.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein at least a portion of said database query or said database response is not translated.
  - 10. The method of claim 8, wherein said database is one of:
    - a 3D database, a flat file database, an hierarchical database, an object database or a relational database.
  - 11. The method of claim 10, wherein said relational database is operated by one of:
    - MySQL, Microsoft SQL, Oracle SQL, or PostgreSQL.

12. A method for providing security for a plurality of databases, the method comprising:
- providing a plurality of servers;
  
  providing said plurality of databases running on a first portion of said plurality of servers;
  
  providing a plurality of database accessing applications running on a second portion of said plurality of servers;
  
  providing a network;
  
  providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network, wherein said reverse database proxy further compromises a caching module;
  
  providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
  
  wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
  
  said certificate transferred from said accessing application to said database through said reverse proxy;
  
  sending a database query from said accessing application to said reverse database proxy over said secure channel;
  
  analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy and to determine an address of a database for receiving said database query;
  
  when said database query is acceptable, passing said database query over said secure channel to said address of said database by said reverse database proxy;
  
  receiving a database response by said reverse database proxy from said database;
  
  analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy;
  
  when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy; and
  
  caching said database query and said database response in said caching module to form a database query database response pair.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, wherein said caching module will transfer said database response of said database query database response pair to said accessing application when a subsequent database query matches said database query of said database query database response pair.
  - 14. The method of claim 12, wherein said database query database response pair is stored in said caching module according to at least one of:
    - popularity, security, type of information provided, or type of database.

15. A method for providing security for a plurality of databases, the method comprising:
- providing a plurality of servers;
  
  providing said plurality of databases running on a first portion of said plurality of servers;
  
  providing a plurality of database accessing applications running on a second portion of said plurality of servers;
  
  providing a network;
  
  providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network, wherein said reverse database proxy further compromises a plurality of front ends each identified by one of a port or IP address and wherein each of said plurality of front ends corresponds to one of said plurality of databases;
  
  providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
  
  wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
  
  said certificate transferred from said accessing application to said database through said reverse proxy;
  
  sending a database query from said accessing application to said reverse database proxy over said secure channel;
  
  analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy;
  
  when said database query is acceptable, passing said database query to said one of said plurality of databases over said secure channel based on said one of port or IP address of said front end by said reverse database proxy through a secure channel comprising a certificate;
  
  receiving a database response by said reverse database proxy from said one of said plurality of databases;
  
  analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy; and
  
  when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy.

16. A method for providing security for a plurality of databases, the method comprising:
- providing a plurality of servers;
  
  providing said plurality of databases running on a first portion of said plurality of servers;
  
  providing a plurality of database accessing applications running on a second portion of said plurality of servers, wherein said database accessing applications are adapted for communication with a database;
  
  providing a first network and a second network;
  
  providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between said plurality of accessing applications and said plurality of database;
  
  wherein said plurality of accessing applications communicates with said reverse database proxy over said first network and wherein said reverse database proxy communicates with said plurality of databases over said second network;
  
  providing a first secure channel over said first network, wherein said first secure channel comprises a first certificate, and wherein said reverse database proxy issues said first certificate to one of said plurality of accessing applications, such that communication between said reverse database proxy and said one of said plurality of accessing applications is secured by a first certificate;
  
  providing a second secure channel over said second network, wherein said second secure channel comprises a second certificate, and wherein said reverse database proxy issues said second certificate to a receiving database, such that communication between said reverse database proxy and said receiving database is secured by a second certificate;
  
  sending a database query from one of said plurality of accessing applications to said reverse database proxy over said first secure channel;
  
  analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one security policy and to determine an address of a receiving database from one of said plurality of databases for receiving said database query;
  
  when said database query is acceptable, passing said database query to said address of said receiving database over said second secure channel by said reverse database proxy;
  
  receiving a database response by said reverse database proxy from said receiving database over said second secure channel;
  
  analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one security policy; and
  
  when said database response is acceptable, then transferring said database response to said one of said plurality of accessing applications over said first secure channel by said reverse database proxy.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16 wherein said analyzing said database response by said reverse database proxy comprises determining whether sensitive information is included in said database response;
    - and, when included, removing said sensitive information before said database response is transferred to said accessing application.
  - 18. The method of claim 16 wherein said first certificate and second certificate are the same certificate.
  - 19. The method of claim 16 wherein said first network and said second network are the same network.
  - 20. The method of claim 16 wherein said second portion and said third portion of said plurality of servers are the same portion, such that said reverse database proxy and said plurality of databases run on the same servers.
  - 21. The method of claim 16 wherein said second portion and said third portion of said plurality of servers run on the same hardware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HexaTier Services Ltd.
Original Assignee
Green SQL Limited
Inventors
Maman, David, Stremovsky, Yuli
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
CHAUDHRY, MUHAMMAD U

Application Number

US13/813,662
Publication Number

US 20130133059A1
Time in Patent Office

1,394 Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 16/21   Design, administration or m...

G06F 16/2455   Query execution

G06F 16/256   in federated or virtual dat...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 67/2895   Intermediate processing fun...

H04L 69/08   Protocols for interworking;...

Reverse proxy database system and method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Reverse proxy database system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others